[development] Fully patched site hacked and cloaked

Tomáš Fülöpp (vacilando.org) tomi at vacilando.org
Wed Jan 27 11:16:44 UTC 2010


This is to share an (unpleasant) experience I had yesterday on a hacked site
of a client (hacked despite fully patched modules and D6.15).

It was apparent hackers used a cloaking method, i.e. the site appeared just
fine to users but search engines saw a page full of drug advertisements.

I found no trace of changes via user activity (revisions, user last access,
etc.) and there was nothing suspicious in the source code of the cloaked

Eventually I found that the file bootstrap.inc had been altered (without
changing the time stamp!) -- a whole chunk of obfuscated PHP code was added
at the top of the usual Drupal code.

I responded by reloading Drupal and locking up the site even more than up to

This is to warn others about this hacking method, which may not be
immediately apparent to webmasters.

If anybody is interested in studying the obfuscated PHP code I found there,
please contact me off the list.

I also wonder whether Drupal could be adjusted so as to automatically set
file bootstrap.inc, and perhaps other critical ones, as read-only. So far it
is done only with settings.php file.



Tomáš J. Fülöpp
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.drupal.org/pipermail/development/attachments/20100127/8e60a80f/attachment.html 

More information about the development mailing list